this is v3 of a patch set which aims to introduce API tokens into PVE.

the basic idea is to allow users to generate API token values that
- are attributed to this user
- are easily revokable
- are possibly less privileged than the user itself
- allow direct API calls without round-trips to create/refresh a ticket

token information is stored in user.cfg together with the other
access-control information. the actual token values are stored in a
'shadow' token.cfg file under /etc/pve/priv, with verification happening
over a special IPCC call.

high-level changelog v2->v3:
- notoken -> allowtoken in method schema
- more tests
- addresses comments regarding pmxcfs C implementation
- pmg-api compat patch

high-level changelog v1->v2:
- incorporated review
- added shadow token.cfg + verification via IPCC
- API refinement
- pveum integration
- GUI integration 0.1
- new permissions API call
- fixed test cases

still missing:
- thorough review ;)

follow-up:
- improve GUI
- add proper documentation
- checking API endpoints for 'allowtoken => 0'-ification
- extend tests

p.s. don't judge me too hard for my lack of JS foo / blatant copying of
existing code ;) also, I am not very happy with the 'icon' used for API
token in the GUI, if someone knows a better one I am all ears :)

cluster:

Fabian Grünbichler (2):
  pmxcfs: add verify_token IPCC request
  cluster: add priv/token.cfg to observed files

 data/src/cfs-ipc-ops.h |  2 ++
 data/src/server.c      | 55 ++++++++++++++++++++++++++++++++++++++++++
 data/src/status.c      |  1 +
 data/PVE/Cluster.pm    | 20 ++++++++++++++-
 4 files changed, 77 insertions(+), 1 deletion(-)

pve-common:

Fabian Grünbichler (1):
  API schema: add 'allowtoken' property

 src/PVE/JSONSchema.pm  | 6 ++++++
 src/PVE/RESTHandler.pm | 3 +++
 2 files changed, 9 insertions(+)

pve-access-control:

Fabian Grünbichler (20):
  test: run at build time
  fix typo
  test: add parser/writer tests
  API token: add REs, helpers, parsing + writing
  API token: add check_token_exist API helper
  API token: add (shadow) TokenConfig
  API token: add verification method
  API: add API token API endpoints
  API: add group and token info to user index
  API: include API tokens in ACL API endpoints
  API token: implement permission checks
  api: disallow some paths for API tokens
  roles()/permissions(): also return propagate flag
  API: add 'permissions' API endpoint
  API token: add tests
  tests: unify config file naming
  API: add group members to group index
  pveum: add 'pveum user token add/update/remove/list'
  pveum: add permissions sub-commands
  user.cfg: skip inexisting roles when parsing ACLs

 Makefile                         |    1 +
 PVE/Makefile                     |    1 +
 test/Makefile                    |    3 +-
 PVE/API2/ACL.pm                  |   30 +-
 PVE/API2/AccessControl.pm        |   60 ++
 PVE/API2/Group.pm                |    7 +
 PVE/API2/User.pm                 |  315 ++++++++-
 PVE/AccessControl.pm             |  198 +++++-
 PVE/CLI/pveum.pm                 |   72 +++
 PVE/RPCEnvironment.pm            |   97 ++-
 PVE/TokenConfig.pm               |   79 +++
 debian/control                   |    1 +
 test/parser_writer.pl            | 1021 ++++++++++++++++++++++++++++++
 test/perm-test1.pl               |    7 +-
 test/perm-test2.pl               |    4 +-
 test/perm-test3.pl               |    4 +-
 test/perm-test4.pl               |    4 +-
 test/perm-test5.pl               |    4 +-
 test/perm-test6.pl               |    8 +-
 test/perm-test7.pl               |    4 +-
 test/perm-test8.pl               |   68 ++
 test/{user.cfg.ex1 => test1.cfg} |    0
 test/test6.cfg                   |    2 +-
 test/test8.cfg                   |   28 +
 24 files changed, 1957 insertions(+), 61 deletions(-)
 create mode 100644 PVE/TokenConfig.pm
 create mode 100755 test/parser_writer.pl
 create mode 100644 test/perm-test8.pl
 rename test/{user.cfg.ex1 => test1.cfg} (100%)
 create mode 100644 test/test8.cfg

http-server:

Fabian Grünbichler (1):
  api-server: extract, set and handle API token header

Tim Marx (1):
  allow ticket in auth header as fallback

 PVE/APIServer/AnyEvent.pm            | 34 +++++++++++++++++++++-------
 PVE/APIServer/Formatter.pm           | 21 ++++++++++++-----
 PVE/APIServer/Formatter/Bootstrap.pm |  1 +
 3 files changed, 42 insertions(+), 14 deletions(-)

pve-manager:

Fabian Grünbichler (9):
  auth_handler: handle API tokens
  rest_handler: implement 'allowtoken' property
  pveproxy: use new cookie extraction method
  api/tasks: attribute token tasks to user
  www: add 'users' columns to Groups model
  www: add permissions button to userview
  www: add Token Panel + Edit Window
  www: add Token to ACL
  www: add TokenView with fixed userid

 www/manager6/Makefile              |   4 +
 PVE/API2/Cluster.pm                |   3 +
 PVE/API2/Tasks.pm                  |  15 ++
 PVE/HTTPServer.pm                  |  60 ++++++---
 PVE/Service/pveproxy.pm            |   2 +-
 www/manager6/Workspace.js          |  10 ++
 www/manager6/dc/ACLView.js         |  23 ++-
 www/manager6/dc/Config.js          |   8 +
 www/manager6/dc/GroupView.js       |   6 +
 www/manager6/dc/PermissionView.js  | 167 ++++++++++++++++++
 www/manager6/dc/TokenEdit.js       | 125 +++++++++++++
 www/manager6/dc/TokenView.js       | 275 +++++++++++++++++++++++++++++
 www/manager6/dc/UserView.js        |  14 +-
 www/manager6/form/GroupSelector.js |   8 +-
 www/manager6/form/TokenSelector.js |  91 ++++++++++
 15 files changed, 781 insertions(+), 30 deletions(-)
 create mode 100644 www/manager6/dc/PermissionView.js
 create mode 100644 www/manager6/dc/TokenEdit.js
 create mode 100644 www/manager6/dc/TokenView.js
 create mode 100644 www/manager6/form/TokenSelector.js

pmg-api:

Fabian Grünbichler (1):
  ensure compatibility with libpve-http-server-perl

 src/PMG/HTTPServer.pm       | 4 +++-
 src/PMG/Service/pmgproxy.pm | 2 +-
 2 files changed, 4 insertions(+), 2 deletions(-)

--
2.20.1

_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel